The press release informing the media that eBay customers will be asked to change their passwords as a result of a 'cyberattack that compromised a database' isn't so much about the lost passwords, which admittedly were encrypted. It's about the psychology of announcing to 233 million people that their personal information is now in the hands of criminals, and doing so nonchalantly.
In the same press release - the same opening paragraph, actually - eBay's PR team tells us that 'changing passwords is a best practice and will help enhance security for eBay users'. That very well may be, under normal circumstances, but in this case, it amounts to nothing more than patronizing busywork for millions of people.
How many people is 233 million? It's larger than the population of Russia. Bigger than Brazil. Larger than the bottom 239 countries of the world. If eBay were a country, only 4 others would be larger. That helps put things in perspective, because you'll need it.
Moving on. The matter of password changes being a best practice. eBay should know about best practices, after all, it's a founding member of the renowned Cloud Security Alliance, created specifically for that purpose. The letter of announcement that my personal information is now in the hands of criminals is as good a time as any to refresh my memory about security best practices. Practice makes perfect, as we all know. And 'best' practices must therefore be even better. But what about eBay's enforcement of best practices in handling this breach? Asking the right questions is certainly a best practice in my industry, but let's limit ourselves to the following 5, because time is of the essence:
1. The breach took place over an extended period of time between February and March. Why did it take approximately 100 days for us to find out about it? Why did eBay only find out it was breached 'about two weeks ago'? Interestingly, that seems to coincide with the precise moment its stock price hit its lowest point this year!
All cynicism aside, that's 100 days criminals have had to parcel out and sell our information, use it, test it on other systems and websites and companies that probably haven't yet figured out that the person who called their support department 2 weeks ago is not you.
2. Where in the company's announcement is there mention of two-factor authentication? That's a much more important element of security than passwords and certainly, when it comes to reminding people about best practices, this letter would have been a good place to include a comforting note.
That note isn't there, prompting us to wonder whether eBay's implementation of two-factor logins could stand up to this latest attack. This is a major omission that will no doubt be rectified time and time again by pundits and the company's spokespeople, albeit retroactively.
3. The final paragraph reminds users to change their passwords on other sites, where their eBay password might have been used. In fact, it 'encourages' them to do so ostensibly because of the aforementioned 'best practices'. This means a couple of things:
- remember how we mentioned in the first paragraph that the password database is encrypted? It was, but 100 days later, it probably is no longer. And anyway, since the hackers gained direct access to the data, chances are they also had access to the passwords.
- remember how we mentioned that the database didn't contain financial information or other confidential personal information? That is, aside from access to your eBay transaction record, your home (or work) addresses, your phone number, your email address and your date of birth. More than any support representative will ask you for when you call to update your cell phone info, your TV cable bill or just about anything not requiring a second factor for authentication.
The company said it has seen no indication of increased fraudulent account activity on eBay. The company also said it has no evidence of unauthorized access or compromises to personal or financial information for PayPal users.
So you can rest assured that for those 100 days when your data was compromised and for the two weeks that eBay spent not notifying you of their failure to protect your information, there was no more fraud on the auction site than usual. Could you have used that time to prevent fraud on all the services and sites that might use the lost data to identify you? Never mind.
Is that it?
Have a look at your Account Settings, under Personal Information, and you'll find links to PayPal, to your "secret" security question, to your eBay page and to your Applications tab. I don't need to get into how these can be accessed, hijacked or used, but suffice it to say that 'best practices' should also include reminding people to review their entire Settings section so they are aware of how it might be used against them in the future. How might it look on a bank statement? What should you look for in your PayPal transaction list?
Would 'best practices' include eBay performing an internal review of exactly how many customers use their password on PayPal as well? If so, should their Crisis Communication Plan, Breach Management Procedures and Incident Response Policies include a special process for notifying those users of the exponentially higher risk of compromise?
4. Speaking of notifying users, the surprising omission of even the smallest reminder to be vigilant about the authenticity of future emails that will appear to be coming from eBay is worth mentioning. The announcement states:
"Beginning later today, eBay users will be notified via email, site communications and other marketing channels to change their password. In addition to asking users to change their eBay password, the company said it also is encouraging any eBay user who utilized the same password on other sites to change those passwords, too."
This opens the door to a huge number of opportunities for cybercriminals who weren't smart enough to hack into the company in the first place, but who can now reap the benefits of this massive breach anyway.
Because not having 'first mover advantage' shouldn't mean getting excluded from the table, spammers, phishers, fraudsters and other bottom-feeders are no doubt already polishing their fake eBay warning messages and password change notifications. And they'll send them out to hundreds of millions of us because hey, when your target audience is as large as half of the entire European Union, it's likely to result in more hits than misses.
Thanks to eBay's intrepid Investor Relations team, you can expect to be exposed to these scams not just via email but through 'other marketing channels' as well. That means social media, website ads, search engine results and of course mobile/text messages.
Not that I'm picky, but the wording "beginning later today" doesn't specify an end date, so although you may have already changed your password, unless you've already bought another house, changed your phone number and altered your birth certificate, your concerns should extend to the long term. Rest assured, your password is already in a rainbow table somewhere. It's the permanent, personal information you need to care about.
Had enough? Hang in there, we're almost done.
5. Again, best practices - if you're really concerned about the security of your customers - mean that you don't just 'encourage' them to change their passwords. You go ahead and reset them yourself. You don't wait for them to get home and find the time to fit this into their schedules, because if you think about it, changing a password may only take 5 minutes, but if you do the math, that adds up to oh... some 2216 years!
That's an interesting thought in itself, because in most of those 'bottom 239 countries', the average life expectancy is way lower than 78 years. Which means that if you thought you'd get away with *only* spending some 28.4 lifetimes changing your eBay password you might be in for a sinister surprise. Heck, it may take you more than 40; and that's without even counting your password changes on other sites. All in the name of best practices, of course.
But I digress. The company clearly stated that "information security and customer data protection are of paramount importance to eBay Inc." (nothing beats the inclusion of that 'Inc.' to make you feel warm and fuzzy and protected), so it is clear that we should have no concerns about the management (and legal) team's commitment to your safety.
In fact, "eBay regrets any inconvenience or concern that this password reset may cause our customers". So much so that they won't inconvenience you by resetting it themselves, putting a stop to the possibility of having it hacked between the time you hear about it on the radio and the moment you choose to sit down and make that password change (some time after putting the kids to bed, scrutinizing bank statements, checking your bills and doing the dishes, that is).
For me, the password reset was smooth. I was asked to enter my old, compromised password no less than 3 times and to check my cell phone twice for my second factor token. If I can do it in 5 minutes, so can Grandma. No excuses. It's all about best practices.